Cisco Systems, one of the companies mentioned in a Der Spiegel report on the NSA's catalog of backdoors into various networks and technologies, said that it is investigating if the NSA has in some way compromised the networking hardware equipment it provides to companies throughout the world. In a blog post on Sunday following the report being published, Cisco said it was "deeply concerned with anything that may impact the integrity of our products or our customers’ networks" and was trying to find out more about the claims.

"We are committed to avoiding security issues in our products, and handling issues professionally when they arise," wrote Cisco Chief Security Officer John Stewart. "Our Trustworthy Systems initiatives, Cisco Secure Development Lifecycle, Cisco Common Crypto models, and Product Security Incident Response Team (PSIRT) and Vulnerability Disclosure policies are all industry-leading examples of our commitment to our customers. This is central to how we earn and maintain trust."

"At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues," he continued. "If we learn of a security weakness in any of our products, we will immediately address it."

"As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products," he concluded.

Cisco also published an official security response on Sunday, saying that it had formally requested Der Spiegel's documents and noted that "Cisco development policies prohibit any product behaviors that weaken the security posture of a Cisco device."

Cisco's claim, as GIGA OM points out in its reporting, isn't exactly one-hundred percent true. All U.S. networking equipment manufacturers are required by law (called "CALEA") to build surveillance capabilities into their products. These are called "lawful intercept" capabilities, which are in fact built into its equipment that allow voice and data wiretaps. Likely Cisco's point is that the U.S. government is not using these built-in features (which one would think they would need a court order of some kind to use on specific targets) but something altogether different that they have no knowledge of.

Comments

There's a slew of issues on consumer based products that range from being able to dump the whole entire router settings to your web browser, to being able to reset settings via wifi management on various firmwares. Cisco previously completely ignored these vulnerabilities on the EA series routers for almost a year.